Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-05-2024 18:05

General

  • Target

    1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe

  • Size

    414KB

  • MD5

    1dbab2dfd53fa6481e4f349d74ca6798

  • SHA1

    96301fd3a1d6c4a4c79af509b1601061c7296f94

  • SHA256

    3a903150a230d5a6f08058cddedf503aa25076b489690a092b3ee46298cfd531

  • SHA512

    9aeb8ead2f4254d8f6e8d900cc5904f0950867d9c6aecb660c2c5fc75c80699b34921caaf991505a215bc798dba0b074de53b7509a44d4a15b2b1f3a98ae659d

  • SSDEEP

    6144:bHnBfTXqlbSpwEiCbjKDVVH4q9D9izTG+mBoaXjauY4/2FE:bBqbgwb/DVVH4yD9i25BoarYzFE

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

smithhk.ddns.net:4782

Mutex

963de217-df7f-4e6b-92bd-1e43f6c4f226

Attributes
  • activate_away_mode

    true

  • backup_connection_host

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2018-04-27T02:01:46.610026136Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    true

  • connect_delay

    4000

  • connection_port

    4782

  • default_group

    Frosh Benz

  • enable_debug_mode

    true

  • gc_threshold

    10485760

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    10485760

  • mutex

    963de217-df7f-4e6b-92bd-1e43f6c4f226

  • mutex_timeout

    5000

  • prevent_system_sleep

    true

  • primary_connection_host

    smithhk.ddns.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000
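The extracted configuration above is what a responder turns into indicators. The following Python is an added example (not part of the report and not the output format of any extractor): it transcribes the relevant fields, derives indicators from them, and matches those against a few constructed Zeek-style JSON dns.log/conn.log records. Two points it handles that are easy to get wrong: the C2 is a dynamic-DNS name, so the durable indicator is the domain rather than whatever it resolved to at analysis time (the code remembers A-record answers from dns.log so it can flag the follow-on connection to port 4782, which conn.log records by address only); and the primary/backup DNS server fields only apply when use_custom_dns_server is true, which here it is not, so 8.8.8.8 and 8.8.4.4 must not be promoted to indicators. The record layout, uids and addresses in the sample log are constructed.

```python
"""IOC derivation and matching for the NanoCore config above (added example)."""
import json
import re
from dataclasses import dataclass, field

# Transcribed from the report's "Malware Config" section. Values are the
# report's; the dict layout is this example's, not the extractor's.
NANOCORE_CONFIG = {
    "primary_connection_host": "smithhk.ddns.net",
    "backup_connection_host": "",          # empty in the report
    "connection_port": 4782,
    "mutex": "963de217-df7f-4e6b-92bd-1e43f6c4f226",
    "use_custom_dns_server": False,
    "primary_dns_server": "8.8.8.8",
    "backup_dns_server": "8.8.4.4",
}

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Iocs:
    domains: set = field(default_factory=set)
    port: int = 0
    mutexes: set = field(default_factory=set)
    dns_servers: set = field(default_factory=set)


def iocs_from_config(cfg: dict) -> Iocs:
    """Turn the extracted config into matchable indicators."""
    iocs = Iocs(port=int(cfg["connection_port"]))
    for key in ("primary_connection_host", "backup_connection_host"):
        host = (cfg.get(key) or "").strip().lower().rstrip(".")
        if host:
            iocs.domains.add(host)
    iocs.mutexes.add(cfg["mutex"].lower())
    # The DNS server fields are only honoured when use_custom_dns_server is
    # set. In this sample it is false, so Google's public resolvers stay out
    # of the indicator set; otherwise they would match most of the network.
    if cfg.get("use_custom_dns_server"):
        for key in ("primary_dns_server", "backup_dns_server"):
            if cfg.get(key):
                iocs.dns_servers.add(cfg[key])
    return iocs


def scan_zeek_json(lines, iocs: Iocs) -> list:
    """Match Zeek-style JSON dns.log / conn.log records against the IOCs.

    Addresses the C2 domain resolves to are learned from dns.log and used to
    flag the later conn.log record, which carries no hostname.
    """
    resolved = set()
    hits = []
    for line in lines:
        rec = json.loads(line)
        if "query" in rec:                              # dns.log record
            q = rec["query"].lower().rstrip(".")
            if q in iocs.domains:
                resolved.update(a for a in rec.get("answers", []) if IPV4.match(a))
                hits.append(("dns", rec["uid"], q))
        elif "id.resp_p" in rec:                        # conn.log record
            dst, port = rec["id.resp_h"], int(rec["id.resp_p"])
            if dst in resolved and port == iocs.port:
                hits.append(("conn", rec["uid"], f"{dst}:{port}"))
            elif dst in iocs.dns_servers and port == 53:
                hits.append(("custom_dns", rec["uid"], dst))
    return hits


# Constructed sample records (not from the report's sandbox run).
SAMPLE_LOG = [
    '{"ts":1715019900.1,"uid":"C1","id.orig_h":"10.0.0.5","query":"smithhk.ddns.net","qtype_name":"A","answers":["203.0.113.10"]}',
    '{"ts":1715019900.2,"uid":"C2","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.10","id.resp_p":4782,"proto":"tcp"}',
    '{"ts":1715019901.0,"uid":"C3","id.orig_h":"10.0.0.5","id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"udp"}',
    '{"ts":1715019902.0,"uid":"C4","id.orig_h":"10.0.0.5","query":"update.microsoft.com","qtype_name":"A","answers":["198.51.100.7"]}',
    '{"ts":1715019903.0,"uid":"C5","id.orig_h":"10.0.0.5","id.resp_h":"198.51.100.7","id.resp_p":443,"proto":"tcp"}',
]


def demo() -> list:
    return scan_zeek_json(SAMPLE_LOG, iocs_from_config(NANOCORE_CONFIG))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The mutex GUID is carried in the indicator set for a host-side check (handle or Sysmon data) that this network example does not perform. Only the dns and conn records for the C2 fire; the lookup against 8.8.8.8 does not, because the custom-DNS flag is off.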

Signatures

  • NanoCore

    NanoCore is a commercial .NET remote access trojan (RAT) whose capabilities (remote control, file and process management, keylogging, surveillance) are implemented as plugins; version 1.2.2.0, the build extracted here, is the widely circulated leaked/cracked release.

  • Drops startup file 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:112
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1i033x1w\1i033x1w.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2665.tmp" "c:\Users\Admin\AppData\Local\Temp\1i033x1w\CSC677D710CA27C4C24A8AC3AA7EF177BF0.TMP"
        3⤵
        PID:2488
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /query
      2⤵
      PID:2540
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /sc MINUTE /tn Intel /MO 1 /tr "C:\Users\Admin\AppData\Roaming\null\
      2⤵
      • Creates scheduled task(s)
      PID:1680
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2420
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {DDD22CF5-D4E7-43A0-8ABB-9225C7372A25} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
    1⤵
    PID:2436
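The process tree shows the three host-side behaviours worth alerting on: the dropped executable compiling a stage at runtime with csc.exe, schtasks creating a task that re-runs something under AppData\Roaming every minute, and RegAsm.exe started with no arguments by a parent in the user's Temp directory. The 224KB region the report lists for PID 2420 at 0x400000 (memory/2420-*) is the same size as the region at 0x4140000 in the parent (memory/112-23); together with the parent's SetThreadContext and WriteProcessMemory signatures that is consistent with the parent writing its unpacked payload into a freshly started RegAsm.exe, although the report does not state this itself. The following Python is an added example (not part of the report): three detection rules run over Sysmon-style process-creation events reconstructed from the tree above. Paths, PIDs and command lines are the report's; the event layout, the parent/child attributions for processes the tree shows as children of PID 112, and the list of .NET hollowing targets beyond RegAsm.exe are this example's assumptions. The /create command line is kept truncated exactly as the report shows it, and the parser copes with the unterminated quote.

```python
"""Process-tree detections for the chain above (added example, not from the report)."""
import re
import shlex

# .NET framework utilities that are legitimately launched only with arguments;
# a bare launch by a process in a user-writable directory is a classic
# hollowing/injection target (RegAsm.exe in this report; the others are assumed).
DOTNET_HOLLOW_TARGETS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def argv(cmdline: str) -> list:
    """Split a Windows command line on whitespace, honouring double quotes.

    shlex in non-POSIX mode keeps backslashes literal. If the line has an
    unterminated quote (the report's /create line is cut off mid-path) fall
    back to a plain split so the rule still sees the flags.
    """
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:
        tokens = cmdline.split()
    return [t.strip('"') for t in tokens]


def value_after(opts: list, flag: str):
    """Value following a flag such as /sc or /tr, or None if absent."""
    if flag in opts:
        i = opts.index(flag)
        if i + 1 < len(opts):
            return opts[i + 1]
    return None


def detect(event: dict) -> list:
    """Names of the rules that fire on one Sysmon-style process-creation event."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "")
    args = argv(event["CommandLine"])
    opts = [a.lower() for a in args[1:]]
    hits = []

    # 1. schtasks persistence: /create with a one-minute schedule whose action
    #    lives under a user's AppData (report: /sc MINUTE /MO 1 /tr ...\Roaming\null\).
    tr = value_after(opts, "/tr")
    if (image == "schtasks.exe" and "/create" in opts
            and value_after(opts, "/sc") == "minute" and tr and USER_WRITABLE.search(tr)):
        hits.append("schtasks_minute_task_into_appdata")

    # 2. Runtime compilation: csc.exe fed a @response file by a parent that itself
    #    runs from AppData. Build tools and IDEs spawn csc; a dropped binary should not.
    if image == "csc.exe" and USER_WRITABLE.search(parent) and any(a.startswith("@") for a in args[1:]):
        hits.append("csc_response_file_from_appdata_parent")

    # 3. Hollowing target: a .NET utility started with no arguments at all by an
    #    AppData-resident parent (RegAsm.exe here, which then shows NanoCore behaviour).
    if image in DOTNET_HOLLOW_TARGETS and len(args) == 1 and USER_WRITABLE.search(parent):
        hits.append("dotnet_utility_started_without_args")
    return hits


def scan(events: list) -> dict:
    """Map ProcessId -> fired rules for every event that triggers something."""
    out = {}
    for ev in events:
        fired = detect(ev)
        if fired:
            out[ev["ProcessId"]] = fired
    return out


# Events reconstructed from the process tree in this report; the layout mimics Sysmon EID 1.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1dbab2dfd53fa6481e4f349d74ca6798_JaffaCakes118.exe"
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
EVENTS = [
    {"ProcessId": 112, "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"ProcessId": 2668, "Image": NET + r"\csc.exe", "ParentImage": SAMPLE,
     "CommandLine": f'"{NET}\\csc.exe" /noconfig /fullpaths @"C:\\Users\\Admin\\AppData\\Local\\Temp\\1i033x1w\\1i033x1w.cmdline"'},
    {"ProcessId": 2488, "Image": NET + r"\cvtres.exe", "ParentImage": NET + r"\csc.exe",
     "CommandLine": NET + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2665.tmp" "c:\Users\Admin\AppData\Local\Temp\1i033x1w\CSC677D710CA27C4C24A8AC3AA7EF177BF0.TMP"'},
    {"ProcessId": 2540, "Image": r"C:\Windows\SysWOW64\schtasks.exe", "ParentImage": SAMPLE,
     "CommandLine": '"schtasks.exe" /query'},
    {"ProcessId": 1680, "Image": r"C:\Windows\SysWOW64\schtasks.exe", "ParentImage": SAMPLE,
     # Truncated after the /tr path in the report; kept as-is (unterminated quote).
     "CommandLine": '"schtasks.exe" /create /sc MINUTE /tn Intel /MO 1 /tr "C:\\Users\\Admin\\AppData\\Roaming\\null\\'},
    {"ProcessId": 2420, "Image": NET + r"\RegAsm.exe", "ParentImage": SAMPLE,
     "CommandLine": f'"{NET}\\RegAsm.exe"'},
]

if __name__ == "__main__":
    for pid, rules in scan(EVENTS).items():
        print(pid, rules)
```

Rule 3 is keyed on the parent's location rather than on RegAsm.exe alone because Visual Studio and MSBuild legitimately launch these utilities; the test below checks that a RegAsm.exe started by a parent under Program Files does not fire.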

Downloads

        • C:\Users\Admin\AppData\Local\Temp\1i033x1w\1i033x1w.dll

          Filesize

          9KB

          MD5

          1eb72ef87f3b3192a85d7baaf0bba5de

          SHA1

          224ac941518bce99fd86c1915ceea0811580b8e2

          SHA256

          e850b72396bd1d0a3e044179a0cf90036660cf1bdfa1b1aab189ba70cf0305c3

          SHA512

          77c188baa0378318702ff03abd47c66561845ecc67f3902a0df68f5233a108e73d01aecc0cc4a9ad005e89773bddd1cc844780c99851370e1b9ebd1dbf00abc7

        • C:\Users\Admin\AppData\Local\Temp\1i033x1w\1i033x1w.pdb

          Filesize

          25KB

          MD5

          17d7c39ee60c41a171399224f5fe875f

          SHA1

          236b90ec2dc254222d89e8637790cb14c619da20

          SHA256

          82fbe1e585d1f1ada97935c76852caf4a641b995d02a69e1bbc471a6100f8fcb

          SHA512

          1578427a0a50d29b4bfbf1feeb9165e3c6aa5a792b43ba3d77851e2fdc69170b86aea88adc412c4e441740b57453571369365f0990d8e93ab50d916fd261d4a1

        • C:\Users\Admin\AppData\Local\Temp\RES2665.tmp

          Filesize

          1KB

          MD5

          f94dffec592d234baba7811193fc96ec

          SHA1

          f034ffe0603e7dee7478121f7e57efdb360eea81

          SHA256

          3362c95afa86e1ed2e81ad9fb1b07d50a9e36fa83e52565f59885f4c4223687e

          SHA512

          2b716aee6bd593925e6484093f43af0f837b48b0b54ce8cc7d04f51fa77d631639d409c46e4b3f023093783e5226e44ed324467979c05b605cff2bf14a06b74e

        • \??\c:\Users\Admin\AppData\Local\Temp\1i033x1w\1i033x1w.0.cs

          Filesize

          10KB

          MD5

          21cd1b3e77c3f770205babc7a862c6ef

          SHA1

          ee71e8ef404a95d7f77e2421d5892f349d0fc2be

          SHA256

          905250aa3670ddec5a3a4d3c2427190f973fe3c669b030884b5ef7da6339b075

          SHA512

          806ce8d2162864331b29ebb1fe0bf814965db9077c537d5a0b9c13294c1edcba6e11c5f929824a3aef8680097e0322c09481f4aaa450cceee788591f6d2441b4

        • \??\c:\Users\Admin\AppData\Local\Temp\1i033x1w\1i033x1w.cmdline

          Filesize

          312B

          MD5

          b62b62d8c2cfabf7f7b97cbd0dbeb6ce

          SHA1

          84179fb86a0c94ebb345f62df97fe71fce25624f

          SHA256

          0e70c70e6de83eeaa875d7cb726095edc2671c050df658ec07f97acaa0ffacd5

          SHA512

          1a012aa5a894ef4b002ce79c77ebd2b0853fdc10f2eaec8025bbbed7dd4c0aa41fdb8fba2375f8e39f690884cfd09f746fe956c01a4beac24583eac0bc6fd498

        • \??\c:\Users\Admin\AppData\Local\Temp\1i033x1w\CSC677D710CA27C4C24A8AC3AA7EF177BF0.TMP

          Filesize

          1KB

          MD5

          b8a3b8f4f42256c7b24bcbfbbbd8465b

          SHA1

          64ecf56bfb45e8f6aa323155a10e8a3a72e9a087

          SHA256

          34e1bbb560360bf5925db35dd6eaa742428738c9e72ed320237c4e8da8e86237

          SHA512

          882c657de6b3cd04f9e45ae260820a6f9965d450203101953d4bb439f3a306e312bccec52bc7760c3d00a3022a828fbd05dcd8789e9169d0247cad5a990e596a

        • memory/112-23-0x0000000004140000-0x0000000004178000-memory.dmp

          Filesize

          224KB

        • memory/112-2-0x0000000074CD0000-0x00000000753BE000-memory.dmp

          Filesize

          6.9MB

        • memory/112-1-0x0000000000CA0000-0x0000000000CF4000-memory.dmp

          Filesize

          336KB

        • memory/112-17-0x00000000003E0000-0x00000000003E8000-memory.dmp

          Filesize

          32KB

        • memory/112-19-0x0000000000C60000-0x0000000000CA4000-memory.dmp

          Filesize

          272KB

        • memory/112-20-0x0000000000470000-0x000000000047C000-memory.dmp

          Filesize

          48KB

        • memory/112-0-0x0000000074CDE000-0x0000000074CDF000-memory.dmp

          Filesize

          4KB

        • memory/112-36-0x0000000074CD0000-0x00000000753BE000-memory.dmp

          Filesize

          6.9MB

        • memory/2420-33-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/2420-26-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/2420-35-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/2420-34-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/2420-30-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/2420-29-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/2420-24-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/2420-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/2420-38-0x0000000000580000-0x000000000058A000-memory.dmp

          Filesize

          40KB

        • memory/2420-39-0x0000000000590000-0x00000000005AE000-memory.dmp

          Filesize

          120KB

        • memory/2420-40-0x00000000005F0000-0x00000000005FA000-memory.dmp

          Filesize

          40KB